Date: Thu, 25 Sep 2014 02:26:06 +0000 (UTC) From: Sean Bruno <sbruno@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r272089 - head/sys/netpfil/ipfw Message-ID: <201409250226.s8P2Q6AS055635@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: sbruno Date: Thu Sep 25 02:26:05 2014 New Revision: 272089 URL: http://svnweb.freebsd.org/changeset/base/272089 Log: Fix NULL pointer deref in ipfw when using dummynet at layer 2. Drop packet if pkg->ifp is NULL, which is the case here. ref. https://github.com/HardenedBSD/hardenedBSD commit 4eef3881c64f6e3aa38eebbeaf27a947a5d47dd7 PR 193861 -- DUMMYNET LAYER2: kernel panic in this case a kernel panic occurs. Hence, when we do not get an interface, we just drop the packet in question. PR: 193681 Submitted by: David Carlier <david.carlier@hardenedbsd.org> Obtained from: Hardened BSD MFC after: 2 weeks Relnotes: yes Modified: head/sys/netpfil/ipfw/ip_dn_io.c Modified: head/sys/netpfil/ipfw/ip_dn_io.c ============================================================================== --- head/sys/netpfil/ipfw/ip_dn_io.c Wed Sep 24 22:58:10 2014 (r272088) +++ head/sys/netpfil/ipfw/ip_dn_io.c Thu Sep 25 02:26:05 2014 (r272089) @@ -751,10 +751,15 @@ dummynet_send(struct mbuf *m) /* extract the dummynet info, rename the tag * to carry reinject info. */ - dst = pkt->dn_dir; - ifp = pkt->ifp; - tag->m_tag_cookie = MTAG_IPFW_RULE; - tag->m_tag_id = 0; + if (pkt->dn_dir == (DIR_OUT | PROTO_LAYER2) && + pkt->ifp == NULL) { + dst = DIR_DROP; + } else { + dst = pkt->dn_dir; + ifp = pkt->ifp; + tag->m_tag_cookie = MTAG_IPFW_RULE; + tag->m_tag_id = 0; + } } switch (dst) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201409250226.s8P2Q6AS055635>